Safe setup of an additional “dangerous” LAN which has a Server


Mike68

New Around Here
Current setup - two routers connected in a cascading fashion:

Current_State.png


For convenience - let's name our networks:
* 192.168.0.0/24 as "Net A".
* 192.168.11.0/24 as "Net B".

I need to connect a third network - which is considered dangerous - call it "Net C".
Therefore, the needs & restrictions on this network are as follows:
* Net C cannot initiate connections to Net A or Net B.
* Net A or Net B may initiate connections to a Server in Net C.
* Internet connection is allowed for all networks - including Net C.

This is illustrated in the following diagram:
Network_safety_needs.png


However, I don't know a standard method to solve this.

I was thinking about a solution which treats Net C as just "another WAN" (because WAN is considered dangerous for LANs).
Therefore, instead of connecting the 3rd Router's WAN port to the Main Router's LAN port, I connect LAN port to LAN port.

This is illustrated in the following diagram:
my_proposed_incomplete_solution.png


Yet again, I'm not fully certain about the proper method which meets the three needs which are detailed above.
 

L&LD

Part of the Furniture
Put the 'dangerous' network as the main, firewall the other two by using a router in router mode.
 

Mike68

New Around Here
Put the 'dangerous' network as the main, firewall the other two by using a router in router mode.
I should've mentioned this:

The server shouldn't really be public - I prefer to protect it from outsiders.

There's a limited & small number of privileged users who may connect to this Server from the internet (via VPN).
All these privileged users are also members of the LAN network.

Also, I prefer to avoid your suggested approach because I want to protect the ISP account from being abused by the users in the "dangerous" network.

Meaning:
  • Some devices in the Dangerous Network may be abused as bots.
    These bots could abuse the ISP internet account.
  • Only the server is considered "safe" enough - but even that isn't a guarantee.
  • I prefer to keep the structure of the current state (as in the first image) intact - using the same Main Router and the same 2nd Router.
 

L&LD

Part of the Furniture
Seems like you are contradicting yourself to me?

Instead of cryptic labels, can you specify the actual client devices instead?
 

sfx2000

Part of the Furniture
Instead of running multiple routers - just get and set up a decent Layer 3 switch and use VLANs...

Sounds like OP is making it harder than it needs to be.
 

dosborne

Very Senior Member
Some devices in the Dangerous Network may be abused as bots.
You should seriously reconsider if you want them anywhere near your network, or running under your ISP account, if this statement is true. If they are internet accessible, or have access to the internet, why on earth would you want them connecting through a WAN that ties back to you?
 

Mike68

New Around Here
Hi guys,

I'll explain better.

The 'dangerous network' is a cameras system which connects to a standard home network.
It is considered 'dangerous' because technically it is easily possible to connect to this network with some rogue device and thus perform malicious actions.
The server is a device which records input from cameras. Users are able to connect to this server and watch recordings.
It is conventionally acceptable to believe that this kind of server isn't top-notch from a security perspective - meaning it could "easily" be affected - either from the internal 'dangerous network' or from external WAN visitors (assuming it is exposed to the internet).


Therefore I want to make sure that security is tight.


@sfx2000:
I was thinking of VLANs but how exactly am I supposed to do this while meeting all the three needs?
I'll emphasize that:
* Net A and Net B should be able to initiate communication with the Server in Net C (via a specific port).
* BUT, the server (or other devices) in Net C must be forbidden to initiate communication with the devices in Net A or Net B.
 
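One way to enforce exactly these three requirements on a single Linux-based router that carries Net A, Net B and the camera network as separate VLAN interfaces (the approach sfx2000 suggests). This is an added example, not code from any poster in the thread; the interface names, the Net C subnet, the recorder address, the viewing port and the permitted outbound ports are all assumptions and should be replaced with your own values.

```shell
#!/bin/sh
# Added example (not from the thread): iptables rules for one Linux router that
# hosts Net A, Net B and the camera network (Net C) on separate VLAN interfaces.
# Every interface name, address and port below is an assumption for illustration.
WAN="${WAN:-eth0}"
LAN_A="${LAN_A:-br0}"                    # 192.168.0.0/24  "Net A"
LAN_B="${LAN_B:-br1}"                    # 192.168.11.0/24 "Net B"
LAN_C="${LAN_C:-br2}"                    # camera VLAN, assumed 192.168.22.0/24
RECORDER="${RECORDER:-192.168.22.10}"    # recording server (assumed address)
VIEW_PORT="${VIEW_PORT:-8000}"           # the one port users may open (assumed)
NETC_OUT_TCP="${NETC_OUT_TCP:-80,443}"   # outbound TCP ports Net C may use (assumed)
IPT="${IPT:-echo iptables}"              # dry run by default; set IPT=iptables to apply

netc_rules() {
  # Dedicated chains, jumped to first, so firmware-supplied rules further down
  # (e.g. a blanket "LAN -> anywhere ACCEPT") cannot override these.
  $IPT -N NETC_FWD
  $IPT -N NETC_IN
  $IPT -I FORWARD 1 -j NETC_FWD
  $IPT -I INPUT 1 -j NETC_IN
  # 1. Replies to already-accepted connections pass; this is what lets A/B use the
  #    recorder while Net C still cannot open anything on its own.
  $IPT -A NETC_FWD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # 2. Net A and Net B may start a connection to the recorder, on one port only.
  for lan in "$LAN_A" "$LAN_B"; do
    $IPT -A NETC_FWD -i "$lan" -o "$LAN_C" -d "$RECORDER" -p tcp --dport "$VIEW_PORT" \
      -m conntrack --ctstate NEW -j ACCEPT
  done
  # 3. Net C may only reach the WAN, and only on the listed ports (plus NTP);
  #    everything else it initiates, including anything toward A or B, is dropped.
  $IPT -A NETC_FWD -i "$LAN_C" -o "$WAN" -p tcp -m multiport --dports "$NETC_OUT_TCP" -j ACCEPT
  $IPT -A NETC_FWD -i "$LAN_C" -o "$WAN" -p udp --dport 123 -j ACCEPT
  $IPT -A NETC_FWD -i "$LAN_C" -j DROP
  # 4. Other new connections from A/B into Net C are logged, then dropped, so a
  #    device on A/B probing the cameras shows up in the router log.
  $IPT -A NETC_FWD -o "$LAN_C" -m conntrack --ctstate NEW -j LOG --log-prefix "NETC-BLOCK: "
  $IPT -A NETC_FWD -o "$LAN_C" -j DROP
  # 5. Net C gets DHCP and DNS from the router, but not its admin interface.
  $IPT -A NETC_IN -i "$LAN_C" -p udp -m multiport --dports 53,67 -j ACCEPT
  $IPT -A NETC_IN -i "$LAN_C" -p tcp --dport 53 -j ACCEPT
  $IPT -A NETC_IN -i "$LAN_C" -j DROP
  # Traffic not matched above (A/B to WAN, A<->B) returns to the firmware's own rules.
}

netc_rules
```

Step 4 also blocks port forwards from the WAN into Net C, which keeps the recorder off the public internet; if VPN users should reach it, add the VPN tunnel interface to the loop in step 2.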

CaptainSTX

Part of the Furniture
Current setup - two routers connected in a cascading fashion:

View attachment 27684

For convenience - let's name our networks:
* 192.168.0.0/24 as "Net A".
* 192.168.11.0/24 as "Net B".

I need to connect a third network - which is considered dangerous - call it "Net C".
Therefore, the needs & restrictions on this network are as follows:
* Net C cannot initiate connections to Net A or Net B.
* Net A or Net B may initiate connections to a Server in Net C.
* Internet connection is allowed for all networks - including Net C.

This is illustrated in the following diagram:
View attachment 27685

However, I don't know a standard method to solve this.

I was thinking about a solution which treats Net C as just "another WAN" (because WAN is considered dangerous for LANs).
Therefore, instead of connecting the 3rd Router's WAN port to the Main Router's LAN port, I connect LAN port to LAN port.

This is illustrated in the following diagram:
View attachment 27686

Yet again, I'm not fully certain about the proper method which meets the three needs which are detailed above.

What you are setting up is a classic double NAT.

The simplest way to make your plan work is to make C your Internet-facing router, then connect the A & B routers to LAN ports on the C router and a WAN port on both A & B. A and B can access C devices but C can't access devices on either A or B.

Regardless of what some people say, double NAT will not increase your latency and works fine. What becomes difficult is if you want to run a server of any type on A or B, as it will require double port forwards.
 

Mike68

New Around Here
Hi @CaptainSTX ,

I like your suggestion, it is sensible and meets the needs.

I have a concern about it:
  • The Main Router has a very good QoS, thus it has to be connected to WAN.
  • I want to perform bandwidth limiting and allow only specific outgoing ports (outbound firewall) for the dangerous network.
  • By having bandwidth limiting - it will disable the QoS of the Main Router.
  • The Main Router doesn't have a good outbound firewall.

Moreover, perhaps a far-fetched scenario (?) - a rogue device could exploit the direct LAN connection to the Router for gaining access to it or taking control (much more difficult for a WAN user).

A less critical issue is that in the Main Router, I won't be able to differentiate the users under the tools which monitor users, because of the router of Net A/B which would conceal them.


Do you think that the idea which I raised about treating Net C as "another WAN" is possible/good?
I mean to the diagram in this link.
It has the benefit of expanding the network (Net A) coverage in an additional place.
 

ColinTaylor

Part of the Furniture
What hardware, and more importantly, firmware are you using for your routers? Without knowing that it's difficult for people to make specific recommendations. For example, a VLAN solution would be the most obvious, but if your devices don't support VLANs... Also, how much money are you prepared to spend buying or replacing devices to get this working? Do you have any preferred software, e.g. pfSense?
 

CaptainSTX

Part of the Furniture
Hi @CaptainSTX ,

I like your suggestion, it is sensible and meets the needs.


Do you think that the idea which I raised about treating Net C as "another WAN" is possible/good?
I mean to the diagram in this link.
It has the benefit of expanding the network (Net A) coverage in an additional place.

I'm not sure what you are showing would work for router 3, where you feed it from the main router to a LAN port and in turn show it feeding a switch from the WAN port. By connecting the main router from a LAN port to a LAN port, it effectively becomes an AP, and the WAN port could either be another LAN port or it might not function at all.

As for hijacking a LAN by plugging into an Ethernet port, there is not much you can do except look at the list of connected devices and, if you see one you don't recognize, find it and remove it from your network. Keep in mind though that a device of any connection type that connects to the primary Internet-connected router will not be able to reach any type of device connected to a double-NATed router upstream. Just be sure to block access to a router from the WAN.

For the level of security you are looking for you may need to use smart switches that allow you to set up VLANs as others have recommended.

I have all my IoT devices on my first router, then double-NATed behind this router is my second router, and this router feeds a switch which I use to provide three VLANs classified for use with video, secure, and very secure devices. You can buy an eight-port smart switch for as little as US$29. Or, as others have recommended, build a router using a router OS such as pfSense, but be prepared to spend a fair amount of time programming it and getting it set up.

Probably overkill, but as with many posters on this site I do it because I want to or can, not because it is really necessary.
 
